April 25, 2013

Pursuing criminal hacking groups is high on the FBI’s list of priorities—but the bureau is adopting some hacking techniques of its own. And a Texas judge isn’t happy about it.

On Monday, a judge denied an FBI request to install a spy Trojan on a computer in an unknown location in order to track down a suspected fraudster. The order rejecting the request revealed that the FBI wanted to use the surveillance tool to covertly infiltrate the computer and take photographs of its user through his or her webcam. The plan also included recording Internet activity, user location, email contents, chat messaging logs, photographs, documents, and passwords.

As the Wall Street Journal reported, Houston magistrate Judge Stephen Smith said that he could not approve the “extremely intrusive” tactic because the FBI did not know the location or identity of the suspect and could not guarantee the spy software would not end up targeting innocents. Smith wrote in a 13-page memorandum:

What if the Target Computer is located in a public library, an Internet café, or a workplace accessible to others? What if the computer is used by family or friends uninvolved in the illegal scheme? What if the counterfeit email address is used for legitimate reasons by others unconnected to the criminal conspiracy? What if the email address is accessed by more than one computer, or by a cell phone and other digital devices? There may well be sufficient answers to these questions, but the Government’s application does not supply them.

According to court documents, the FBI wanted to use the software to identify a person responsible for allegedly violating computer security laws and committing federal bank fraud and identity theft. A criminal is said to have infiltrated the email of a Texas man and later tried to steal a “sizable” amount of money from his bank by transferring it to a foreign account. But investigators apparently admitted that they did not know the physical location of the suspect, creating a major legal roadblock in gaining surveillance approval. There are rules in place that put territorial limits on magistrate judges’ authority, so that they can issue warrants only for their own districts—in this case, the Southern District of Texas. Smith made it clear in his refusal that he was particularly uncomfortable authorizing the feds to “hack a computer” that could have been based anywhere in the world.

Perhaps what is most interesting is the level of detail the memorandum discloses about the surveillance technology at the FBI’s disposal. Back in 2007, the bureau was revealed to be using spyware that could infect computers and gather IP addresses, the last visited website address, and a range of other metadata. But the spy Trojan disclosed in the Houston documents is far more advanced, capable of copying content and turning a person’s webcam effectively into a surveillance camera. According to Smith:

[T]he Government’s data extraction software will activate the Target Computer’s built-in-camera and snap photographs sufficient to identify the persons using the computer. The Government couches its description of this technique in terms of “photo monitoring,” as opposed to video surveillance, but this is a distinction without a difference. In between snapping photographs, the Government will have real time access to the camera’s video feed.

Sophisticated spy Trojans like the one described above are sold by companies that sell only to governments and law enforcement agencies—like England’s Gamma Group, which has developed a line of controversial “FinFisher” Trojan tools. It is possible that the FBI could have developed its own Trojan, but equally it may have procured the technology from a private company. Last month, I asked the feds whether they had ever purchased Gamma’s spyware, following a report that FinFisher servers had been detected in the United States. However, a spokesman for the bureau said that as a matter of policy it would not discuss “specific law enforcement tactics, techniques, or procedures, and we likewise would not be able to confirm specific products or services that the FBI may or may not purchase or use.”